❔ About
Like many organizations, we have to develop and maintain (aka BUILD & RUN) common software.
☝️ This process involves a lot of things that have to be done right (if you want a robust and secure software release pipeline).
I'll showcase here how we tackled all these challenges on a common Java library dedicated to logging:
opt-nc / opt-logging
The reference library for generating well-formatted logs at OPT.
❔ opt-logging
This library contains the 2 logback configuration files recommended for application development at OPT-NC.
All logs go to the same .log file (${LOG_FILE}), except business logs, which go to a single .json file (${LOG_FILE_JSON}) when that need is expressed.
⬇️ Importing the public dependency
This dependency is publicly available via Jitpack.
🪶 Maven
Add the Jitpack repository:

```xml
<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>
```

Then the dependency:

```xml
<dependency>
    <groupId>com.github.opt-nc</groupId>
    <artifactId>opt-logging</artifactId>
    <version>Tag</version>
</dependency>
```
🐘 Gradle
Add the repository:

```groovy
allprojects {
    repositories {
        ...
        maven { url 'https://jitpack.io' }
    }
}
```

Then the dependency:

```groovy
dependencies {
    implementation 'com.github.opt-nc:opt-logging:Tag'
}
```
Importing the dependency via …
🏎️ Time to Market
Software release pipelines are expected to deliver an ever shorter Time To Market.
In fact there is no real alternative: maintenance and release tasks have to be heavily automated, and security concerns should be shifted left in the pipeline.
🛡️ Security
We have three complementary ways of achieving security tasks on our pipeline:
- Dependabot alerts: we get Pull Requests notifying us of the risks
- CodeQL scan as part of GitHub Advanced Security (aka GHAS)
- Docker image scan (see previous dedicated post)
Then, to release software, we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
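As an added example (not the opt-logging project's own workflow), here is a minimal GitHub Actions workflow that chains the two automated pieces named above: a CodeQL scan of the Java code on every pull request and push, and a semantic-release run on main that only executes once the scan has passed. Java 17, Node 18, the action versions and the presence of a `.releaserc` in the repository are assumptions.

```yaml
name: build-and-release
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  codeql:
    # Static analysis on every PR and push; findings land in the Security tab
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'   # assumed JDK version
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2

  release:
    # Runs only for pushes to main, and only after CodeQL succeeded,
    # so a failing scan blocks the release instead of shipping with it
    needs: codeql
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write        # tags and GitHub releases
      issues: write          # release comments on linked issues
      pull-requests: write   # release comments on linked PRs
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # semantic-release needs full history to compute the next version
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      # Assumes a .releaserc in the repo listing the plugins for a non-npm
      # project (commit-analyzer, release-notes-generator, github)
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Dependabot is not part of this workflow; it is enabled separately through the repository's `.github/dependabot.yml` and opens its own Pull Requests.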
🍿 Demo
Here is the full secure and automated release process 👇
🧰 Stack
🔖 Related contents
⛯ Scan Docker images 🛡️
⚖️ Bench (and choose) Java-8 docker images with anchore/grype
adriens for opt-nc ・ Apr 25 '22
🔂 Semantic release demo 🎞️
Semantic release intro demo: